Huawei eNSP Firewall Basic Lab

DebWa
2020-11-02 / 0 comments / 153 views

Building the topology

[topology diagram]


R1 interface configuration


<R1>system-view 
Enter system view, return user view with Ctrl+Z.
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 100.1.2.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 100.1.1.1 24

R2 interface configuration


<R2>system-view 
Enter system view, return user view with Ctrl+Z.
[R2]interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[R2-GigabitEthernet0/0/1]quit
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.1.254 24

FW1 interface configuration


<FW1>system-view 
Enter system view, return user view with Ctrl+Z.
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 192.168.2.254 24
[FW1-GigabitEthernet1/0/0]quit
[FW1]interface GigabitEthernet 1/0/1
# DMZ segment. The original repeated 192.168.2.254 here, which duplicates the address on
# G1/0/0 and is rejected by VRP; 192.168.3.0/24 is the network FW1 advertises in OSPF
# below and that R2 learns via 192.168.2.254, so that is the segment used here.
[FW1-GigabitEthernet1/0/1]ip address 192.168.3.254 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip add 100.1.1.254 24

FW1 security zone configuration


[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/1
[FW1-zone-dmz]quit
[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
[FW1-zone-untrust]quit
[FW1]firewall zone trust 
[FW1-zone-trust]add interface g1/0/0

Configuring web access to the firewall


[FW1]interface GigabitEthernet 0/0/0
# G0/0/0 is the USG management port. The original assigned 192.168.2.1 24 here, which overlaps the
# 192.168.2.0/24 segment already on G1/0/0 and duplicates R2's address. 192.168.0.1/24 (the USG6000V
# factory management address) is substituted as an assumed stand-alone management subnet.
[FW1-GigabitEthernet0/0/0]ip address 192.168.0.1 24
# opens every management service (https, ssh, ping, ...) on this port; outside a lab, permit only the services actually needed
[FW1-GigabitEthernet0/0/0]service-manage all permit

[screenshots]


Configuring security zones in the web UI


[screenshot]


Querying FW1 security zones



[FW1] display zone
2020-11-02 07:07:47.470 
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/0
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/2
#
dmz
 priority is 50
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
[FW1]

Configuring network reachability (OSPF)


[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]quit
[FW1] ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
[FW1]ospf 1 router-id 11.11.11.11
[FW1-ospf-1] default-route-advertise              # advertise the static default route into OSPF
[FW1-ospf-1] area 0
[FW1-ospf-1-area-0.0.0.0]  network 192.168.2.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]  network 192.168.3.0 0.0.0.255

Configuring OSPF in the web UI


[screenshots]


Querying R2's routing table


[R2]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   192.168.2.254   GigabitEthernet0/0/1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.254   GigabitEthernet0/0/0
    192.168.1.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
    192.168.2.0/24  Direct  0    0           D   192.168.2.1     GigabitEthernet0/0/1
    192.168.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
    192.168.3.0/24  OSPF    10   2           D   192.168.2.254   GigabitEthernet0/0/1
[R2]

Configuring NAT (PAT) in the web UI


[screenshots]

Configuring NAT from the command line


# Security policy permitting the outbound traffic (rule name spelling made consistent with the NAT rule)
[FW1] security-policy
[FW1-policy-security] rule name Employee_outbound
[FW1-policy-security-rule-Employee_outbound] source-zone trust
[FW1-policy-security-rule-Employee_outbound] destination-zone untrust
[FW1-policy-security-rule-Employee_outbound] source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-security-rule-Employee_outbound] action permit
# Address pool: a single public address, 100.1.1.100, shared by all hosts in PAT mode
[FW1] nat address-group pool1 0
[FW1-address-group-pool1] mode pat
[FW1-address-group-pool1] section 0 100.1.1.100 100.1.1.100
# NAT policy
[FW1] nat-policy
[FW1-policy-nat] rule name Employee_outbound
[FW1-policy-nat-rule-Employee_outbound] source-zone trust
[FW1-policy-nat-rule-Employee_outbound] destination-zone untrust
[FW1-policy-nat-rule-Employee_outbound] source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-Employee_outbound] action source-nat address-group pool1

Easy-IP web configuration


[screenshot]


Command-line configuration


[FW1]nat-policy
[FW1-policy-nat]rule name Employee_outbound-1
[FW1-policy-nat-rule-Employee_outbound-1] source-zone trust
[FW1-policy-nat-rule-Employee_outbound-1] egress-interface GigabitEthernet1/0/2
[FW1-policy-nat-rule-Employee_outbound-1] source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-Employee_outbound-1] action source-nat easy-ip
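As an added illustration (not part of the original post and not Huawei code), the following Python model reproduces how FW1 classifies a packet under the zones and rules configured above: source zone from the ingress interface, destination zone from the route lookup, first-match security policy with an implicit default deny, and source NAT applied only after the flow is permitted. Zone membership, addresses, routes and both NAT rules are taken from this page; the DMZ segment is assumed to be 192.168.3.0/24 on G1/0/1 (the network FW1 advertises in OSPF), and the OSPF route to 192.168.1.0/24 learned from R2 is modelled as a static entry.

```python
import ipaddress

# Constructed model of FW1 as configured on this page (zone membership from "display zone").
IFACE_ZONE = {"GigabitEthernet1/0/0": "trust", "GigabitEthernet1/0/1": "dmz",
              "GigabitEthernet1/0/2": "untrust"}
IFACE_ADDR = {"GigabitEthernet1/0/0": "192.168.2.254",
              "GigabitEthernet1/0/1": "192.168.3.254", "GigabitEthernet1/0/2": "100.1.1.254"}
# prefix -> egress interface: connected routes, the OSPF route to 192.168.1.0/24
# learned from R2, and the static default route towards R1 (assumed DMZ prefix 192.168.3.0/24).
ROUTES = [("192.168.1.0/24", "GigabitEthernet1/0/0"), ("192.168.2.0/24", "GigabitEthernet1/0/0"),
          ("192.168.3.0/24", "GigabitEthernet1/0/1"), ("100.1.1.0/24", "GigabitEthernet1/0/2"),
          ("0.0.0.0/0", "GigabitEthernet1/0/2")]
# Rules in configuration order; first match wins and unmatched traffic hits the default deny.
SECURITY_POLICY = [{"name": "Employee_outbound", "src_zone": "trust", "dst_zone": "untrust",
                    "src": "192.168.1.0/24", "action": "permit"}]
NAT_POLICY = [{"name": "Employee_outbound", "src_zone": "trust", "dst_zone": "untrust",
               "src": "192.168.1.0/24", "nat": "100.1.1.100"},   # address-group pool1 (PAT)
              {"name": "Employee_outbound-1", "src_zone": "trust", "dst_zone": "untrust",
               "src": "192.168.1.0/24", "nat": "easy-ip"}]       # shadowed by the rule above

def egress_interface(dst):
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in ROUTES if dst in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def matches(rule, src_zone, dst_zone, src):
    return (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"]))

def forward(src, dst, in_iface):
    """Verdict for a packet entering on in_iface: source zone from the ingress
    interface, destination zone from the route lookup, security policy matched on
    the private source address, source NAT applied only once the flow is permitted."""
    src_zone, out_iface = IFACE_ZONE[in_iface], egress_interface(dst)
    dst_zone = IFACE_ZONE[out_iface]
    verdict = {"src_zone": src_zone, "dst_zone": dst_zone, "action": "deny", "nat_src": None}
    for rule in SECURITY_POLICY:
        if matches(rule, src_zone, dst_zone, src):
            verdict["action"] = rule["action"]
            break
    if verdict["action"] != "permit":
        return verdict
    verdict["nat_src"] = src                  # no NAT rule matched: address unchanged
    for rule in NAT_POLICY:
        if matches(rule, src_zone, dst_zone, src):
            verdict["nat_src"] = IFACE_ADDR[out_iface] if rule["nat"] == "easy-ip" else rule["nat"]
            break
    return verdict
```

Because the pool1 rule precedes the easy-ip rule with identical match conditions, the easy-ip rule never fires; reorder or narrow the rules if translation to the egress-interface address is the intended behaviour.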

Configuring server mapping in the web UI


[screenshots]

